A) ADSL PPPoA configuration B) Enable Firewall

lynxfatkidneyed, Networks and Communications

26 Oct 2013 (3 years and 9 months ago)




The Secure Router is directly connected to the ADSL line without any ADSL modem.

Note that multiple layers are implied:

- Layer 1 (Physical) is ADSL (interface ADSL 1/1).
- Layer 2 (Link Layer) is ATM (interface ATM 1). We bind it to ADSL 1/1.
- Layer 2-1: on top of ATM, the adaptation layer (AAL5MUX or AAL5SNAP) defines how frames are converted into ATM cells. In ATM, data is sent on a Permanent Virtual Circuit (PVC) identified by its VPI/VCI. The PVC is bound to the point-to-point ATM sub-interface named ATM 1.1.
- Layer 2-2 is the PPP layer, defined in the logical interface PPP 1, which uses PPPoA.
- Layer 3 is IP.

Note: once an IP address and a password have been set up, most of this configuration can easily be created using the Web interface and its Firewall wizard. For beginners it eases configuration; for experts it speeds up the configuration process.


A) ADSL PPPoA configuration

hostname "ADSL-Router"
ip routing

Enable Firewall (requires defining an Access Policy)

! Enable Firewall
! Access Policy defines NAT and Filters
ip firewall

DHCP Server for LAN

! Define DHCP service for the LAN in the 192.168.1.0 range
ip dhcp-server pool "pool-for-lan"
  network 192.168.1.0 255.255.255.0
  ! Following given by the provider
  domain-name "wanadoo.fr"
  dns-server 193.252.19.4 193.252.19.3
  netbios-node-type h-node
  default-router 192.168.1.1
  lease 1

The LAN Interface

interface eth 0/1
  ip address 192.168.1.1 255.255.255.0
  ! Inbound traffic is NATed as defined in the Access-policy FROM-LAN
  access-policy FROM-LAN
  no shutdown

interface eth 0/2
  no ip address
  shutdown

The WAN physical interface = ADSL

interface adsl 1/1
  ! ADSL interface auto detects ADSL mode: G.dmt, G-LITE, T1.413...
  training-mode multi-mode
  no shutdown

ATM is the encapsulation of the ADSL interface

! Traffic is sent in cells
interface atm 1 point-to-point
  no shutdown
! We bind ATM interface (logical) to ADSL interface (physical)
! Note that encapsulation is aal5mux by default. The other choice is aal5snap
! Provider provides the info
bind 1 adsl 1/1 atm 1

ATM PVC (Permanent Virtual Circuit)

! This PVC is bound to a point to point ATM interface
interface atm 1.1 point-to-point
  no shutdown
  ! Provider tells you what VPI/VCI (id of the PVC) to use.
  ! You can't guess but you can find on Internet other examples of config
  pvc 8/35
  no ip address

PPP interface

interface ppp 1
  ! ip address is negotiated via PPP with provider's router
  ip address negotiated
  no fair-queue
  ! Authentication: credentials are sent using PAP or CHAP
  ! For PAP, use ppp pap sent-username... command
  ! If you don't know what protocol to use, choose either PAP or CHAP and start
  ! "debug ppp authentication" to check what is required by ISP
  ppp chap hostname id-given-by-isp
  ppp chap password pw-given-by-isp
  no shutdown
! We bind the ppp interface to the ATM 1.1
bind 2 atm 1.1 ppp 1

ACL selects the traffic to be NATed

ip access-list extended lan-acl
  remark used for Nat
  permit ip any any

Policy-class

! It translates the Private IP source addresses (NAT) of the traffic
! of the LAN into the Public IP address of the PPP interface
ip policy-class FROM-LAN
  nat source list lan-acl interface ppp 1 overload

(skip)

end




The Secure Router is directly connected to the ADSL line without any ADSL modem.

Note that multiple layers are implied:

- Layer 1 (Physical) is ADSL (interface ADSL 1/1).
- Layer 2 (Link Layer) is ATM (interface ATM 1). We bind it to ADSL 1/1.
- Layer 2-1: on top of ATM, the adaptation layer (AAL5MUX or AAL5SNAP) defines how frames are converted into ATM cells. In ATM, data is sent on a Permanent Virtual Circuit (PVC) identified by its VPI/VCI. The PVC is bound to the point-to-point ATM sub-interface named ATM 1.1. RFC 1483, or Routed IP over ATM, mode is used.
- Layer 3 is IP and is defined in the ATM 1.1 sub-interface.

Note: once an IP address and a password have been set up, most of this configuration can easily be created using the Web interface and its Firewall wizard. For beginners it eases configuration; for experts it speeds up the configuration process.


A) ADSL IPoA configuration

hostname "Secure-Router"
ip routing

Enable Firewall (requires defining an Access Policy)

! Enable Firewall
! Access Policy defines NAT and Filters
ip firewall

DNS, DHCP service and pool

! Define DHCP service for the LAN in the 192.168.1.0 range
! Router is defined as the Default-gateway and DNS-server
ip dhcp-server pool "pool-for-lan"
  network 192.168.1.0 255.255.255.0
  dns-server 193.252.19.4 193.252.19.3
  netbios-node-type h-node
  default-router 192.168.1.1
  lease 1

The LAN Interface

interface eth 0/1
  ip address 192.168.1.1 255.255.255.0
  ! Inbound traffic is NATed as defined in the Access-policy FROM-LAN
  access-policy FROM-LAN
  no shutdown

interface eth 0/2
  no ip address
  shutdown

The WAN physical interface = ADSL

interface adsl 1/1
  ! Auto detects ADSL mode: G.dmt, G-LITE, T1.413...
  training-mode multi-mode
  no shutdown

ATM is the encapsulation of the ADSL interface

! Traffic is sent in cells
interface atm 1 point-to-point
  no shutdown
! We bind ATM interface (logical) to ADSL interface (physical)
! Provider provides the info
bind 1 adsl 1/1 atm 1

ATM PVC (Permanent Virtual Circuit)

! This PVC is bound to a point to point ATM interface
interface atm 1.1 point-to-point
  no shutdown
  ! Provider defines what VPI/VCI (id of the PVC) to use.
  pvc 8/36
  ! Following command defines Adaptation Layer and Routed IP over ATM option
  encapsulation aal5mux ip
  ! IP address is typically obtained via DHCP.
  ! Note that your ISP may provide a permanent address via DHCP
  ip address dhcp

ACL to define the IP range from which the Secure Router can be managed

ip access-list standard manage-rtr
  permit 192.168.1.0 0.0.0.255

ACL to define the traffic to be NATed

ip access-list extended lan-acl
  remark used for Nat
  permit ip any any

The Access Policy applied to the LAN Interface:

- first lets IP packets destined to the internal IP stack through, to manage the router
- second "NATs" packets destined to the Internet using the IP of the WAN interface

ip policy-class FROM-LAN
  allow list manage-rtr self
  nat source list lan-acl interface atm 1.1 overload

(skip)

End
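How the FROM-LAN policy-class above is evaluated, as an added example (not the router's own code or the guide's): the two entries are tried in order for a packet entering eth 0/1, with the page's ACL names, the WAN address 82.67.71.47 from the page's show output, and sample packets from its session table; the evaluation model, the "self" handling and the helper names are assumptions. It also contrasts the page's "permit ip any any" NAT list with the narrower list the PPPoE section uses.

```python
import ipaddress
from dataclasses import dataclass

WAN_IP = "82.67.71.47"                   # address learnt on atm 1.1 (page's show output)
ROUTER_IPS = {"192.168.1.1", WAN_IP}     # "self": the router's own IP stack (assumption)
ANY = ("0.0.0.0", "255.255.255.255")     # keyword "any": network 0.0.0.0, wildcard all ones

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS/AOS-style wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

# Access lists as ordered (action, (src, src_wildcard), (dst, dst_wildcard)) entries.
# "manage-rtr" and "lan-acl" are the IPoA section's lists; "lan-acl-strict" is the
# variant the PPPoE section uses ("permit ip 192.168.1.0 0.0.0.255 any").
ACLS = {
    "manage-rtr":     [("permit", ("192.168.1.0", "0.0.0.255"), ANY)],
    "lan-acl":        [("permit", ANY, ANY)],
    "lan-acl-strict": [("permit", ("192.168.1.0", "0.0.0.255"), ANY)],
}

def acl_permits(name: str, src: str, dst: str) -> bool:
    for action, (s, sw), (d, dw) in ACLS[name]:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False                          # implicit deny closes every list

@dataclass(frozen=True)
class Verdict:
    action: str                           # "allow", "nat" or "drop"
    src_after: str                        # source address after the policy is applied

def evaluate(src: str, dst: str, nat_acl: str = "lan-acl") -> Verdict:
    """Apply policy-class FROM-LAN to one packet entering eth 0/1 (first match wins).

      1. allow list manage-rtr self                           -> management of the router
      2. nat source list <nat_acl> interface atm 1.1 overload -> everything else
    """
    # Entry 1: "self" restricts the match to packets addressed to the router itself
    if dst in ROUTER_IPS and acl_permits("manage-rtr", src, dst):
        return Verdict("allow", src)
    # Entry 2: source NAT behind the WAN address for whatever the ACL permits
    if acl_permits(nat_acl, src, dst):
        return Verdict("nat", WAN_IP)
    # No entry matched: the stateful firewall drops the packet
    return Verdict("drop", src)

if __name__ == "__main__":
    # Packets taken from the page's "show ip policy-sessions" output
    print(evaluate("192.168.1.2", "192.168.1.1"))   # telnet to the router: allow
    print(evaluate("192.168.1.2", "212.27.39.2"))   # DNS to the Internet: nat
    # A source outside 192.168.1.0/24 seen on the LAN port: "permit ip any any"
    # still NATs it, the narrower list of the PPPoE section drops it
    print(evaluate("10.9.9.9", "212.27.39.2"))
    print(evaluate("10.9.9.9", "212.27.39.2", nat_acl="lan-acl-strict"))
```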


B) Check the connection

First check that the status of your ADSL and ATM interfaces is UP.

Secure-Router#show interface adsl 1/1
adsl 1/1 is UP, line protocol is UP
  Link Status                 Up G.DMT
  Line Type                   Interleave
  Line Length                 9480 ft
                              Downstream     Upstream
  Line Rate                   6656 kbps      576 kbps
  Current margin              9.0 dB         10.0 dB
  Attenuation                 38.0 dB        31.5 dB
  Power                       19 dBm         11 dBm
  Prev Rate                   0 kbps         0 kbps
  Actual Delay                4 msecs        4 msecs
  Loss of Framing Seconds     0              0
  Loss of Signal Seconds      0              0
  Loss of Power Seconds       0              0
  Errored Seconds             15             2
  Line Inits                  1              N/A
  Rx Blocks                   30881          30881
  Tx Blocks                   30881          30881
  Corrected Blocks            11069          0
  Uncorrected Blocks          27             5
  Last Failure                NONE
  Last Failure Time           N/A
  DMT Bits Per Bin



Secure-Router#show int atm 1
atm 1 is UP, line protocol is UP
  BW 576 Kbit/s
  16 maximum active VCCs, 16 VCCs per VP, 1 current VCCs
  Queueing strategy: Per VC Queueing
  5 minute input rate 3328 bits/sec, 0 packets/sec
  5 minute output rate 800 bits/sec, 0 packets/sec
  484 packets input, 127924 bytes
  0 pkts discarded, 0 error pkts, 0 unknown protocol pkts
  3018 cells received, 0 OAM cells received
  751 packets output, 53038 bytes
  3 tx pkts discarded, 0 tx error pkts
  1606 cells sent, 0 OAM cells sent

Then check that your WAN interface has an IP address.

Secure-Router#show int atm 1.1
atm 1.1 is Active
  Internet address is 82.67.71.47, mask is 255.255.255.0 (via DHCP)
  MTU is 1500 bytes
  Encapsulation is AAL5
  Encapsulation method is IP
  VC tx ring limit: 2
  Output Queue: 0/4/200/0 (size/highest/max total/drops)
  487 packets input, 145152 bytes
  754 packets output, 77232 bytes
  3024 cells input, 1609 cells output
  0 OAM cells input, 0 OAM cells output
  AAL5 CRC errors : 0
  AAL5 SAR Timeouts : 0
  AAL5 Oversized SDUs : 0
  AAL5 length violations : 0

Make sure all IP interfaces are UP.

Secure-Router#show ip int brief
Interface      IP Address       Status    Protocol
atm 1.1        82.67.71.47      UP        UP
eth 0/1        192.168.1.1      UP        UP

Check your routing table. Note that a default route has been generated.

Secure-Router#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
       IA - OSPF inter area, N1 - OSPF NSSA external type 1
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
       E2 - OSPF external type 2

Gateway of last resort is 82.67.71.254 to network 0.0.0.0

S    0.0.0.0/0 [1/0] via 82.67.71.254, atm 1.1
C    82.67.71.0/24 is directly connected, atm 1.1
C    192.168.1.0/24 is directly connected, eth 0/1

Verify that your Secure Router serves IP addresses to PC clients on the LAN.

Secure-Router#show ip dhcp-server binding
IP Address      Client Id              Lease Expiration      Client Name
192.168.1.2     01:00:0a:95:ab:bf:b0   Apr 07 2005 1:30 PM   JM

Verify that connections to the Internet from a PC generate sessions on the stateful Firewall of your Secure Router.

Secure-Router#show ip policy-sessions
Protocol (TTL)   Src IP Address   Src Port  Dest IP Address  Dst Port  NAT IP Address     NAT Port
---------------  ---------------  --------  ---------------  --------  -----------------  --------
Policy class "FROM-LAN":
tcp (600)        192.168.1.2      59869     192.168.1.1      23
udp (4)          192.168.1.2      54940     212.27.39.2      53        s 82.67.71.47      1391
udp (4)          192.168.1.2      54941     212.27.39.2      53        s 82.67.71.47      1392
Policy class "self":
Policy class "default":
tcp (6)          82.67.93.31      1082      82.67.71.47      445

Secure-Router#sh ip policy-stats
Global 14 current sessions (83200 max)
Policy-class "FROM-LAN":
  14 current sessions (27700 max)
  Entry 1 - allow list manage-rtr self
    13979 in bytes, 206692 out bytes, 17 hits
  Entry 2 - nat source list lan-acl interface atm 1.1 overload
    29263 in bytes, 110943 out bytes, 274 hits




The Secure Router is directly connected to the ADSL line.

Note that multiple layers are implied:

- Layer 1 (Physical) is ADSL (interface ADSL 1/1).
- Layer 2 (Link Layer) is ATM (interface ATM 1). We bind it to ADSL 1/1.
- Layer 2-1: on top of ATM, the adaptation layer (AAL5MUX or AAL5SNAP) defines how frames are converted into ATM cells. In ATM, data is sent on a Permanent Virtual Circuit (PVC) identified by its VPI/VCI. The PVC is bound to the point-to-point ATM sub-interface named ATM 1.1.
- Layer 2-2 is the PPP layer, defined in the logical interface PPP 1, which uses PPPoE mode. We bind the PPP 1 interface to the ATM 1.1.
- Layer 3 is IP.

Note: once an IP address and a password have been set up, most of this configuration can easily be created using the Web interface and its Firewall wizard. For beginners it eases configuration; for experts it speeds up the configuration process.


A - ADSL-PPPoE configuration

hostname "ADSL-Router"
ip routing

Enable Firewall (requires defining an Access Policy)

! Enable Firewall
! Access Policy defines NAT and Filters
ip firewall

DNS proxy

! On a LAN with no DNS servers, we can define the router as a proxy DNS. It acts
! as a DNS server for the DHCP clients. It gets the DNS servers definition from
! the ISP during PPP negotiation.
ip domain-proxy
ip domain-name "yourprovider.com"

DHCP Server for LAN

! Define DHCP service for the LAN in the 192.168.1.0 range
ip dhcp-server pool "pool-for-lan"
  network 192.168.1.0 255.255.255.0
  ! The provider gives the following info
  domain-name "wanadoo.fr"
  dns-server 192.168.1.1
  netbios-node-type h-node
  default-router 192.168.1.1
  lease 1

The LAN Interface

interface eth 0/1
  ip address 192.168.1.1 255.255.255.0
  ! Inbound traffic from the LAN is NATed as defined in the Access-policy FROM-LAN
  access-policy FROM-LAN
  no shutdown

interface eth 0/2
  no ip address
  shutdown

The WAN physical interface = ADSL

interface adsl 1/1
  ! ADSL interface auto detects the ADSL mode: G.dmt, G-LITE, T1.413...
  training-mode multi-mode
  no shutdown

ATM is the encapsulation of the ADSL interface

! Traffic is sent in cells
interface atm 1 point-to-point
  no shutdown
! We bind ATM interface (logical) to ADSL interface (physical)
! Note that encapsulation is aal5snap by default. The other choice is aal5mux
! Your provider must provide this info
bind 1 adsl 1/1 atm 1

ATM PVC (Permanent Virtual Circuit)

! ATM cells are transmitted over a PVC.
! The PVC is defined in a point to point ATM sub-interface
interface atm 1.1 point-to-point
  no shutdown
  ! Provider tells you what VPI/VCI (id of the PVC) to use.
  ! You can't guess but you can find on Internet other examples of config
  pvc 8/35
  no ip address

PPP interface

interface ppp 1
  ! The ip address is negotiated via PPP with provider's router
  ! As on a PC connection, router gets DNS servers info and IP of concentrator
  ip address negotiated
  no fair-queue
  ! Authentication: credentials are sent using PAP or CHAP
  ! For PAP, use ppp pap sent-username... command
  ! If you don't know what protocol to use, choose either PAP or CHAP and start
  ! "debug ppp authentication" to check what is required by ISP
  ppp chap hostname id-given-by-isp
  ppp chap password pw-given-by-isp
  no shutdown
! We bind the ppp interface to the ATM 1.1 specifying we're in PPPoE mode
bind 2 atm 1.1 ppp 1 pppoe-client

ACL defines the traffic to be NATed

ip access-list extended lan-acl
  remark used for Nat
  permit ip 192.168.1.0 0.0.0.255 any

Policy-class

! It translates the Private IP source addresses (NAT) of the traffic
! of the LAN into the Public IP address of the PPP interface
ip policy-class FROM-LAN
  nat source list lan-acl interface ppp 1 overload

(skip)

end


B - Check the status of the configuration

! Note the ADSL interface is UP and the ADSL type is G.DMT.
! Note the downstream and upstream rates of the ADSL interface

ADSL-Router#show int adsl 1/1
adsl 1/1 is UP, line protocol is UP
  Link Status                 Up G.DMT
  Line Type                   Interleave
  Line Length                 10218 ft
                              Downstream     Upstream
  Line Rate                   608 kbps       160 kbps
  Current margin              31.0 dB        31.0 dB
  Attenuation                 38.0 dB        24.0 dB
  Power                       17 dBm         11 dBm
  Prev Rate                   0 kbps         0 kbps
  Actual Delay                4 msecs        4 msecs
  Loss of Framing Seconds     0              0
  Loss of Signal Seconds      0              0
  Loss of Power Seconds       0              0
  Errored Seconds             0              1
  Line Inits                  1              N/A
  Rx Blocks                   3630763        3630763
  Tx Blocks                   3630763        3630763
  Corrected Blocks            4              7619536
  Uncorrected Blocks          0              4
  Last Failure                NONE
  Last Failure Time           N/A
  DMT Bits Per Bin



! Note ATM interface is UP and one VCC (virtual circuit) is active

ADSL-Router#show int atm 1
atm 1 is UP, line protocol is UP
  BW 160 Kbit/s
  16 maximum active VCCs, 16 VCCs per VP, 1 current VCCs
  Queueing strategy: Per VC Queueing
  5 minute input rate 33512 bits/sec, 0 packets/sec
  5 minute output rate 3040 bits/sec, 0 packets/sec
  69444 packets input, 62104316 bytes
  0 pkts discarded, 0 error pkts, 0 unknown protocol pkts
  1326184 cells received, 0 OAM cells received
  51607 packets output, 5003320 bytes
  0 tx pkts discarded, 0 tx error pkts
  128792 cells sent, 0 OAM cells sent

! Note ATM 1.1 sub-interface is Active, encapsulation is AAL5 SNAP
! Note packets and cells input and output on the interface

ADSL-Router#show int atm 1.1
atm 1.1 is Active
  ATM Routed Bridge Encapsulation: None
  Encapsulation is AAL5
  Encapsulation method is SNAP
  VC tx ring limit: 2
  Output Queue: 0/14/200/0 (size/highest/max total/drops)
  69452 packets input, 63665904 bytes
  51613 packets output, 6182592 bytes
  1326373 cells input, 128804 cells output
  0 OAM cells input, 0 OAM cells output
  AAL5 CRC errors : 0
  AAL5 SAR Timeouts : 0
  AAL5 Oversized SDUs : 0
  AAL5 length violations : 0

! Note the ATM PVC is Active

ADSL-Router#show atm pvc
                      Encap        Peak   Avg/Min  Burst
Name      VPI  VCI    Type   SC    Kbps   Kbps     Cells   Status
atm 1.1   8    35     SNAP   N/A   0      0        0       Active

! Note the ppp interface is UP meaning that PPP Negotiation including the
! authentication has succeeded.
! In case of trouble, start a "debug ppp authentication"
! Note the IP info learnt by the PPP interface:
! IP address, "Peer address" (router of ISP), DNS servers...

ADSL-Router#show int ppp 1
ppp 1 is UP
  Configuration:
    Keep-alive is set (10 sec.)
    No multilink
    MTU = 1500
    Peer authenticates with CHAP
    IP is configured
      IP address negotiated
  Link thru atm 1.1 is UP; LCP state is OPENED, negotiated MTU is 1492
    Receive: bytes=60384371, pkts=76385, errors=0
    Transmit: bytes=3555522, pkts=58391, errors=0
    5 minute input rate 25720 bits/sec, 4 packets/sec
    5 minute output rate 3064 bits/sec, 3 packets/sec
  Bundle information
    Queueing method: fifo
    HDLC tx ring limit: 0
    Output queue: 0/1/200/0 (size/highest/max total/drops)
  IP is UP, IPCP state is OPENED
    Negotiated Address=82.122.147.180 Mask=255.255.255.255
    Peer address=193.253.160.3
    DNS: Primary=80.10.246.130, Secondary=80.10.246.3
    IP MTU=1492, Bandwidth=160 Kbps
  LLDPCP State is STOPPED

! Lists the IP interfaces. They should be up.
! Note the IP address learnt on ppp 1

ADSL-Router#show ip int brief
Interface      IP Address        Status    Protocol
eth 0/1        192.168.1.1       UP        UP
ppp 1          82.122.147.180    UP        UP

! Lists the IP Route. Default route 0.0.0.0/0 results from PPP negotiation

ADSL-Router#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
       IA - OSPF inter area, N1 - OSPF NSSA external type 1
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
       E2 - OSPF external type 2

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S    0.0.0.0/0 [1/0] via 0.0.0.0, ppp 1
C    82.122.147.180/32 is directly connected, ppp 1
C    192.168.1.0/24 is directly connected, eth 0/1
C    193.253.160.3/32 is directly connected, ppp 1

! After you start communicating with the Internet, view the NATed sessions

ADSL-Router#show ip policy-sessions
Protocol (TTL)   Src IP Address   Src Port  Dest IP Address  Dst Port  NAT IP Address     NAT Port
---------------  ---------------  --------  ---------------  --------  -----------------  --------
Policy class "FROM-LAN":
tcp (600)        192.168.1.3      3646      66.28.8.50       80        s 82.122.147.180   3729
tcp (600)        192.168.1.4      59227     192.168.1.1      22
udp (53)         192.168.1.4      54832     193.252.19.4     53        s 82.122.147.180   6088
udp (53)         192.168.1.4      54833     193.252.19.4     53        s 82.122.147.180   6089
udp (53)         192.168.1.4      54834     193.252.19.4     53        s 82.122.147.180   6090
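A parser for the "show ip policy-sessions" output, shown here and in the IPoA check section, as an added example that is not part of the original guide: it sorts the tracked sessions into NATed LAN traffic, management sessions to the router itself, and entries in the "default" class whose destination is the WAN address. The sample text is constructed after the page's output (WAN address 82.67.71.47 and class names from the page); the audit rules and function names are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the page's IPoA "show ip policy-sessions" output
SAMPLE = """\
Protocol (TTL)   Src IP Address   Src Port  Dest IP Address  Dst Port  NAT IP Address   NAT Port
---------------  ---------------  --------  ---------------  --------  ---------------  --------
Policy class "FROM-LAN":
tcp (600)        192.168.1.2      59869     192.168.1.1      23
udp (4)          192.168.1.2      54940     212.27.39.2      53        s 82.67.71.47    1391
udp (4)          192.168.1.2      54941     212.27.39.2      53        s 82.67.71.47    1392
Policy class "self":
Policy class "default":
tcp (6)          82.67.93.31      1082      82.67.71.47      445
"""

@dataclass
class Session:
    policy_class: str
    proto: str
    ttl: int
    src: str
    sport: int
    dst: str
    dport: int
    nat_ip: Optional[str] = None      # set when the row carries an "s <ip> <port>" NAT column
    nat_port: Optional[int] = None

CLASS_RE = re.compile(r'^Policy class "([^"]+)":')
ROW_RE = re.compile(
    r'^(\w+)\s+\((\d+)\)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)'   # proto (ttl) src sport dst dport
    r'(?:\s+s\s+(\S+)\s+(\d+))?\s*$')                       # optional: s nat_ip nat_port

def parse_sessions(text: str) -> list:
    """Return one Session per table row, tagged with the policy class it sits under."""
    sessions, current = [], "?"
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ROW_RE.match(line)          # header and dashed lines do not match
        if m:
            proto, ttl, src, sport, dst, dport, nat_ip, nat_port = m.groups()
            sessions.append(Session(current, proto, int(ttl), src, int(sport), dst,
                                    int(dport), nat_ip, int(nat_port) if nat_port else None))
    return sessions

def audit(sessions: list, wan_ip: str) -> dict:
    """'nat': LAN sessions translated behind the WAN address (the expected case);
    'mgmt': FROM-LAN sessions with no translation, i.e. to the router's own stack;
    'inbound_to_wan': 'default' class sessions whose destination is the WAN address."""
    report = defaultdict(list)
    for s in sessions:
        if s.nat_ip == wan_ip:
            report["nat"].append(s)
        elif s.policy_class == "default" and s.dst == wan_ip:
            report["inbound_to_wan"].append(s)
        elif s.policy_class == "FROM-LAN" and s.nat_ip is None:
            report["mgmt"].append(s)
    return dict(report)

if __name__ == "__main__":
    for kind, rows in audit(parse_sessions(SAMPLE), "82.67.71.47").items():
        print(kind, [(r.proto, r.src, r.sport, r.dst, r.dport) for r in rows])
```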



!-------------------------------------------------------------
! Configuration of 7xxx dl Procurve Router
! ADSL connection using PPPoE
! Router connects to the ADSL modem via an Ethernet connection
!--------------------------------------------------------------
! What info do you need from your ISP?
!   Username or ID and password for your connection
!   Make sure PPPoE is used by provider.
!   Other choice could be RFC 1483 Routed. Not yet supported but coming
!--------------------------------------------------------------
hostname "ADSL-Router"
!
ip routing
!
! Enable Firewall. Required to define Access Policy.
! Access Policy is required to define NAT and Filters
ip firewall
!
! Define DHCP service for the LAN in the 192.168.1.0 range
ip dhcp-server excluded-address 192.168.1.1
!
ip dhcp-server pool "pool-for-lan"
  network 192.168.1.0 255.255.255.0
  ! Following given by the provider
  domain-name "wanadoo.fr"
  dns-server 193.252.19.4 193.252.19.3
  netbios-node-type h-node
  default-router 192.168.1.1
  lease 1
!
! Note you could also define your router as DNS Proxy
! You have to 1) Define router as DNS Server for DHCP Clients
!             2) Define the DNS Servers for the router with
!                "ip name-server 193.252.19.4 193.252.19.3"
!             3) Define router as proxy with
!                "ip domain-proxy"
!
! The LAN Interface
interface eth 0/1
  ip address 192.168.1.1 255.255.255.0
  ! Inbound traffic is NATed as stated in the Access-policy called FROM-LAN
  access-policy FROM-LAN
  no shutdown
!
! The LAN Interface connected to the ADSL Modem.
interface eth 0/2
  no ip address
  ! Interface is shut by default
  no shutdown
  ! Don't send LLDP (Link Layer Discovery Protocol) frames to provider
  no lldp send-and-receive
!
! On top of Ethernet we build a PPP interface used by IP as layer 2
interface ppp 1
  ! ip address is negotiated via PPP with provider's router
  ip address negotiated
  no fair-queue
  ! Credentials sent by router to provider. CHAP is the authentication
  ! In case it's PAP, use ppp pap sent-username... command
  ! If you don't know what protocol is used, use either PAP or CHAP and start
  ! "debug ppp authentication" to check what is requested by other side
  ppp chap hostname id-given-by-isp
  ppp chap password pw-given-by-isp
  ! Don't send LLDP (Link Layer Discovery Protocol) frames to provider
  no lldp send-and-receive
  no shutdown
! We bind the ppp interface to the Ethernet interface
! Note that we default to PPPoE
bind 1 eth 0/2 ppp 1
!
! ACL selects the traffic to be NATed
ip access-list extended OUR-LAN
  remark used for Nat
  permit ip any any
!
! To NAT (and possibly filter) traffic we apply Policy-class to the LAN Interface
ip policy-class FROM-LAN
  nat source list OUR-LAN interface ppp 1 overload
!
(skip)
!
end
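What the PAP and CHAP choice in the "ppp chap hostname" / "ppp chap password" lines puts on the link, as an added example that is not part of the original guide: PAP carries the password itself, while CHAP (MD5 variant, RFC 1994) carries only MD5(identifier || secret || challenge). The credentials are the page's own placeholders; the ISP side is simulated and the function names and challenge value are constructed here.

```python
import hashlib
import hmac
import os

# Placeholders copied from the configuration above, not real credentials
CHAP_HOSTNAME = "id-given-by-isp"
CHAP_PASSWORD = "pw-given-by-isp"

def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request data (RFC 1334): both fields travel in clear."""
    pid, pw = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pw)]) + pw

def chap_response_value(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994, 4.1): MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def chap_exchange(identifier: int, challenge: bytes) -> dict:
    """Router side: answer the ISP's Challenge with the Response the ISP expects."""
    return {
        "challenge": challenge,         # ISP -> router, fresh random value per session
        "response": chap_response_value(identifier, CHAP_PASSWORD, challenge),
        "name": CHAP_HOSTNAME,          # sent in clear in the Response's Name field
    }

def isp_verifies(identifier: int, challenge: bytes, name: str, response: bytes,
                 user_db: dict) -> bool:
    """ISP side (simulated): recompute from its own copy of the secret and compare."""
    secret = user_db.get(name)
    if secret is None:
        return False
    expected = chap_response_value(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def password_visible_on_link(payload: bytes, password: str) -> bool:
    """True if a tap on the PVC would see the password bytes as-is in this payload."""
    return password.encode() in payload

if __name__ == "__main__":
    challenge = os.urandom(16)
    ex = chap_exchange(0x01, challenge)
    pap = pap_authenticate_request(CHAP_HOSTNAME, CHAP_PASSWORD)
    print("PAP leaks password on link :", password_visible_on_link(pap, CHAP_PASSWORD))
    print("CHAP leaks password on link:", password_visible_on_link(ex["response"], CHAP_PASSWORD))
    print("ISP accepts CHAP response  :", isp_verifies(
        0x01, challenge, ex["name"], ex["response"], {CHAP_HOSTNAME: CHAP_PASSWORD}))
```

The ISP never receives the password, which is why "debug ppp authentication" shows a challenge and a hashed response rather than the credential itself.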